1. Field of the Invention
The present invention relates to an access control method for packet communication, an access control system using such a method, and a packet communication apparatus.
2. Description of the Related Art
In view of the recent developments of the functions and performance of computers including personal computers and network apparatuses including packet communication apparatuses as well as the overall decrease in their prices, computer networks (simply referred to as ‘network’ hereinafter) employing such computers and network apparatuses are becoming increasingly popular.
In corporations, the role of a network as a tool for smoothly conducting business operations is becoming increasingly important, and oftentimes, valuable data are exchanged over a network. Accordingly, corporations implement security measures such as firewalls to protect data from unauthorized access or virus attacks, for example.
Also, security measures for a network include the following. For example, with respect to the OSI Reference Model Layer 2 (Data Link Layer), MAC address filtering or Virtual LAN (VLAN) path control may be implemented. With respect to the OSI Reference Model Layer 3 (Network Layer), IP address filtering settings may be set up in a packet communication apparatus to limit access by a user (computer) only to authorized areas, for example. The following Patent Documents 1 and 2 disclose exemplary techniques related to access control through filter setting.
Patent Document 1: Japanese Laid-Open Patent Publication No. 2004-62417
Patent Document 2: Japanese Laid-Open Patent Publication No. 2004-15530
Access control techniques involving filter setting of a packet communication apparatus according to the prior art have the following problems. FIG. 1 is a diagram showing an exemplary configuration of a network. Access control is realized in the illustrated network of FIG. 1 by setting filters in packet communication apparatuses 1-4.
For example, in the case of authorizing communication between a computer operated by a user (referred to as PC hereinafter) 5 and an application server 6 while limiting communication between other computers and the application server 6, filter settings have to be implemented in the packet communication apparatus 2 of the network of FIG. 1.
If access is to be controlled at the IP level, rules for authorizing communication between the PC 5 and the application server 6 and rules for limiting communication between other PCs and the application server 6 are set up as IP address filter settings in the packet communication apparatus 2 of the network of FIG. 1 to realize access control.
According to such a filter setting technique, provided that the number of users (PCs) making access to servers is denoted as ‘m’ and the number of servers to be accessed is denoted as ‘n’, a total of m×n rules have to be set up in an environment where users (PCs) having specific access rights cannot be consolidated. It is noted that an environment where users having specific access rights cannot be consolidated may refer to a case where users hold differing network addresses, for example.
In practice, since the filter settings are merely rules specifying whether to pass or block a packet, the total number of rules may be reduced to m×n/2. However, when the number of rules is reduced in this manner, it may be difficult to determine whether the non-existence of a rule constitutes a rule or a setting blunder. In the illustrated example, it is assumed that all rules related to communications between PCs 5, 7, 8 and application servers 6, 9 are set in the packet communication apparatuses 1-4.
It is noted that the number of rules set in the packet communication apparatuses 1-4 may be reduced by only setting rules related to the PCs that the respective packet communication apparatuses 1-4 are actually managing within the network. However, in this case, when PC 8 moves to the location of PC 7 as a result of a user moving to another office location with his/her PC, for example, rules relating to the PC 8 that are set in packet communication apparatus 3 have to be set in packet communication apparatus 4. Therefore, the work load of a network manager may be increased in a case where a user frequently moves around with his/her PC, for example.
Also, when an application server 9 is added to the network, for example, a rule related to the application server 9 has to be set in each of the packet apparatuses 1-4. That is, even when only one application server is added to the network, if a total number of ‘i’ packet communication apparatuses exist within the network, the new rule has to be set in each of the ‘i’ number of packet communication apparatuses.
As can be appreciated, the above-described filter setting access control schemes according to the prior art have various problems such as the fact that a large number of m×n rules have to be set in the packet communication apparatuses 1-4, rules have to be reset in the packet communication apparatuses 1-4 when a PC such as PC 8 moves to a new location, and rules have to be added to each of the packet communication apparatuses 1-4 when a server such as the application server 9 is added to the network.
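The following is an added illustration, not part of the patent text, that models the three problems described above on a small topology patterned after FIG. 1. The addresses, the apparatus each PC attaches through, and the helper names (replicated_tables, per_apparatus_tables, move_pc, add_server) are assumptions made for this example; the page names the elements but gives no addresses or attachment points. It generates the per-apparatus IP filter tables from an access policy and reports how many rules must be added or deleted when PC 8 moves to PC 7's location and when a new application server joins.

```python
from itertools import product

# Constructed topology modelled on FIG. 1 of the text. Addresses and the
# apparatus each PC attaches through are assumptions for this illustration.
APPARATUSES = ["apparatus1", "apparatus2", "apparatus3", "apparatus4"]
PCS = {"PC5": "10.1.0.5", "PC7": "10.4.0.7", "PC8": "10.3.0.8"}
SERVERS = {"AppServer6": "10.9.0.6", "AppServer9": "10.9.0.9"}
ATTACHED_TO = {"PC5": "apparatus1", "PC7": "apparatus4", "PC8": "apparatus3"}
# Access policy from the text's example: only PC 5 may reach application server 6.
ALLOWED = {("PC5", "AppServer6")}


def rule_for(pc, server, pcs, servers, allowed):
    """One explicit IP-filter rule (src, dst, action) for a PC/server pair."""
    action = "pass" if (pc, server) in allowed else "block"
    return (pcs[pc], servers[server], action)


def replicated_tables(pcs, servers, allowed):
    """Scheme assumed in the text's illustrated example: every apparatus holds
    the complete table, i.e. m*n rules each (m PCs, n servers)."""
    table = [rule_for(pc, sv, pcs, servers, allowed)
             for pc, sv in product(pcs, servers)]
    return {app: list(table) for app in APPARATUSES}


def per_apparatus_tables(pcs, servers, allowed, attached_to):
    """Reduced scheme: an apparatus holds only the rules for PCs it manages."""
    tables = {app: [] for app in APPARATUSES}
    for pc, sv in product(pcs, servers):
        tables[attached_to[pc]].append(rule_for(pc, sv, pcs, servers, allowed))
    return tables


def total_rules(tables):
    """Total number of rules configured across all apparatuses."""
    return sum(len(rules) for rules in tables.values())


def diff_tables(before, after):
    """Per apparatus that changes: (rules to delete, rules to add)."""
    changes = {}
    for app in APPARATUSES:
        removed = [r for r in before[app] if r not in after[app]]
        added = [r for r in after[app] if r not in before[app]]
        if removed or added:
            changes[app] = (removed, added)
    return changes


def move_pc(pc, new_apparatus, pcs, servers, allowed, attached_to):
    """Reconfiguration needed under the reduced scheme when a user carries a
    PC to another apparatus (the text's PC 8 moving to PC 7's location)."""
    before = per_apparatus_tables(pcs, servers, allowed, attached_to)
    after = per_apparatus_tables(pcs, servers, allowed,
                                 {**attached_to, pc: new_apparatus})
    return diff_tables(before, after)


def add_server(name, ip, pcs, servers, allowed):
    """Reconfiguration needed under the replicated scheme when a server joins:
    each of the i apparatuses gains one rule per PC."""
    before = replicated_tables(pcs, servers, allowed)
    after = replicated_tables(pcs, {**servers, name: ip}, allowed)
    return diff_tables(before, after)


if __name__ == "__main__":
    rep = replicated_tables(PCS, SERVERS, ALLOWED)
    print("replicated: rules per apparatus =", len(rep["apparatus1"]),
          "total =", total_rules(rep))
    local = per_apparatus_tables(PCS, SERVERS, ALLOWED, ATTACHED_TO)
    print("per-apparatus: total =", total_rules(local))
    for app, (removed, added) in move_pc("PC8", "apparatus4", PCS, SERVERS,
                                         ALLOWED, ATTACHED_TO).items():
        print(f"move PC8 -> {app}: delete {len(removed)}, add {len(added)}")
    for app, (_, added) in add_server("AppServer10", "10.9.0.10", PCS,
                                      SERVERS, ALLOWED).items():
        print(f"add server -> {app}: add {len(added)}")
```

With three PCs and two servers the replicated scheme holds six rules in each apparatus; the reduced scheme holds six in total but moving PC 8 touches two apparatuses (deletions at apparatus 3, additions at apparatus 4), and adding a server under the replicated scheme requires three new rules in every one of the four apparatuses. Both churn figures are driven purely by where PCs and servers sit in the topology, which is the configuration dependence the text identifies.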
The above problems may be attributed to the fact that filter setting access control schemes according to the prior art depend on the network configuration. In consideration of the recent proliferation of the wireless LAN, user mobility has to be taken into account, which may create a large burden on the network manager under filter setting access control schemes according to the prior art.